Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c2c0c6e03047e4c…

Verdict: MALICIOUS
File type: PDF
Size: 78.7 KB
Created: 2021-05-03 18:31:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d49c4b21fc8ead8dc08471780be74d6c
SHA-1: 27d9405225a59fde8d14543af3aede89e6501a28
SHA-256: 3c2c0c6e03047e4c90c4e289b9dec6280b6c6b0a02468e22116ddbdbda16e91f
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are associated with SEO link farms, suggesting a malicious intent to distribute content or redirect users. The presence of a 'Fake invoice / payment lure' heuristic further supports the phishing or scam nature of the document. While no scripts were explicitly extracted, the PDF structure and numerous external links indicate it's designed to lead users to malicious sites, likely for initial access via spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ec90.bin
    SHA-256: 8efbc5fc3bc16e6f560f6e8224bf5648fa2dc703166f7c9f7f196cefd18ac95e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC90
    Size: 5620 bytes
  • Filename: font_01_sfnt_off0000ffc7.bin
    SHA-256: a224364665ca2eed373312825d243b59b9869052fb9da8e3c7692e814e7c90e6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFFC7
    Size: 14108 bytes